Philipp Jovanovic, Swiss Federal Institute of Technology in Lausanne | EPFL · Decentralized and Distributed Systems Lab (DeDiS)
Philipp Jovanovic
Dr. rer. nat.
About
28 Publications
8,702 Reads
3,033 Citations
Introduction
I'm a post-doctoral researcher at École Polytechnique Fédérale de Lausanne with the Decentralized and Distributed Systems (DeDiS) lab of Prof. Bryan Ford.
Additional affiliations
Education
January 2011 - October 2015
October 2005 - November 2010
Publications
Publications (28)
We investigate nonce reuse issues with the GCM block cipher mode as used in TLS and focus in particular on AES-GCM, the most widely deployed variant. With an Internet-wide scan we identified 184 HTTPS servers repeating nonces, which fully breaks the authenticity of the connections. Affected servers include large corporations, financial institutions...
While showing great promise, Bitcoin requires users to wait tens of minutes for transactions to commit - even then offering only probabilistic guarantees. This paper introduces ByzCoin, a novel Byzantine consensus protocol that leverages scalable collective signing to commit Bitcoin transactions irreversibly within seconds. ByzCoin achieves Byzanti...
The secret keys of critical network authorities - such as time, name, certificate, and software update services - represent high-value targets for hackers, criminals, and spy agencies wishing to use these keys secretly to compromise other hosts. To protect authorities and their clients proactively from undetected exploits and misuse, we introduce C...
A popular approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this work, we revisit the principle of masking. We do so alongside the introduction of the tweakable Even-Mansour construction MEM. Its masking function...
This paper introduces NORX, a novel authenticated encryption scheme supporting arbitrary parallelism degree and based on ARX primitives, yet not using modular additions. NORX has a unique parallel architecture based on the monkeyDuplex construction, with an original domain separation scheme for a simple processing of header, payload and trailer dat...
Leader-based consensus algorithms are vulnerable to liveness and performance downgrade attacks. We explore the possibility of replacing leader election in Multi-Paxos with random exponential backoff (REB), a simpler approach that requires minimum modifications to the two phase Synod Paxos and achieves better resiliency under attacks. We propose Bax...
Distributed ledgers provide high availability and integrity, making them a key enabler for practical and secure computation of distributed workloads among mutually distrustful parties. Many practical applications also require strong confidentiality, however. This work enhances permissioned and permissionless blockchains with the ability to manage...
It is commonly held that asynchronous consensus is much more complex, difficult, and costly than partially-synchronous algorithms, especially without using common coins. This paper challenges that conventional wisdom with que sera consensus (QSC), an approach to consensus that cleanly decomposes the agreement problem from that of network asynchrony....
Software-update mechanisms are critical to the security of modern systems, but their typically centralized design presents a lucrative and frequently attacked target. In this work, we propose CHAINIAC, a decentralized software-update framework that eliminates single points of failure, enforces transparency, and provides efficient verifiability of...
The Sponge function is known to achieve \(2^{c/2}\) security, where c is its capacity. This bound was carried over to its keyed variants, such as SpongeWrap, to achieve a \(\min \{2^{c/2},2^\kappa \}\) security bound, with \(\kappa \) the key length. Similarly, many CAESAR competition submissions were designed to comply with the classical \(2^{c/2}...
Humanitarian action, the process of aiding individuals in situations of crises, poses unique information-security challenges due to natural or manmade disasters, the adverse environments in which it takes place, and the scale and multi-disciplinary nature of the problems. Despite these challenges, humanitarian organizations are transitioning toward...
Designing a secure permissionless distributed ledger (blockchain) that performs on par with centralized payment processors, such as Visa, is a challenging task. Most existing distributed ledgers are unable to scale-out, i.e., to grow their total processing capacity with the number of validators; and those that do, compromise security or decentraliz...
Bias-resistant public randomness is a critical component in many (distributed) protocols. Generating public randomness is hard, however, because active adversaries may behave dishonestly to bias public random choices toward their advantage. Existing solutions do not scale to hundreds or thousands of participants, as is needed in many decentralized...
This doctoral thesis is dedicated to the analysis and the design of symmetric cryptographic algorithms. In the first part of the dissertation, we deal with fault-based attacks on cryptographic circuits which belong to the field of active implementation attacks and aim to retrieve secret keys stored on such chips. Our main focus lies on the cryptan...
Designing block ciphers and hash functions in a manner that resemble the AES in many aspects has been very popular since Rijndael was adopted as the Advanced Encryption Standard. However, in sharp contrast to the MixColumns operation, the security implications of the way the state is permuted by the operation resembling ShiftRows has never been stu...
This paper analyses the cryptography used in the Open Smart Grid Protocol (OSGP). The authenticated encryption (AE) scheme deployed by OSGP is a non-standard composition of RC4 and a home-brewed MAC, the “OMA digest”. We present several practical key-recovery attacks against the OMA digest. The first and basic variant can achieve this with a mere 1...
We present the first fault-based attack on the BelT block cipher family which has been adopted recently as a national standard of the Republic of Belarus. Our attack successfully recovers the secret key of the 128-bit, 192-bit and 256-bit versions of BelT using 4, 7 and 10 fault injections, respectively. We also show the results from our comprehens...
This paper presents NORX8 and NORX16, the 8-bit and 16-bit versions of the authenticated cipher NORX, one of the CAESAR candidates. These new versions are better suited for low-end systems—such as “internet of things” devices—than the original 32-bit and 64-bit versions: whereas 32-bit NORX requires 64 bytes of RAM or cache memory, NORX8 and NORX16...
The Sponge function is known to achieve \(2^{c/2}\) security, where c is its capacity. This bound was carried over to keyed variants of the function, such as SpongeWrap, to achieve a \(\min \{2^{c/2}, 2^\kappa \}\) security bound, with \(\kappa \) the key length. Similarly, many CAESAR competition submissions are designed to comply with the classical \(2^{c/2}\) security bound. We show th...
We propose two extremely stealthy hardware Trojans that facilitate fault-injection attacks in cryptographic blocks. The Trojans are carefully inserted to modify the electrical characteristics of predetermined transistors in a circuit by altering parameters such as doping concentration and dopant area. These Trojans are activated with very low proba...
This paper presents a thorough analysis of the AEAD scheme NORX, focussing on differential and rotational properties. We first introduce mathematical models that describe differential propagation with respect to the non-linear operation of NORX. Afterwards, we adapt a framework previously proposed for ARX designs allowing us to automatise the searc...
State-of-the-art fault-based cryptanalysis methods are capable of breaking most recent ciphers after only a few fault injections. However, they require temporal and spatial accuracies of fault injection that were believed to rule out low-cost injection techniques such as voltage, frequency or temperature manipulation. We investigate selection of su...
This paper introduces Multi-Stage Fault Attacks, which allow Differential Fault Analysis of block ciphers having independent subkeys. Besides the specification of an algorithm implementing the technique, we show concrete applications to LED-128 and PRINCE and demonstrate that in both cases approximately 3 to 4 fault-injections are enough to reconst...
In this paper we propose an attack on block ciphers where we combine techniques derived from algebraic and fault based cryptanalysis. The recently introduced block cipher LED serves us as a target for our attack. We show how to construct an algebraic representation of the encryption map and how to cast the side channel information gained from a fau...
A fault-based attack on the new low-cost LED block cipher is reported. Parameterized sets of key candidates called fault tuples are generated, and filtering techniques are employed to quickly eliminate fault tuples not containing the correct key. Experiments for LED-64 show that the number of remaining key candidates is practical for performi...
Algebraic attacks lead to the task of solving polynomial systems over \(\mathbb{F}_2\). We study recent suggestions of using SAT-solvers for this task. In particular, we develop several strategies for converting the polynomial system to a set of CNF clauses. This generalizes the approach in [Bard, Courtois, Jefferson, Cryptology ePrint Archive 2007, 2007]. Moreo...